This article examines whether anonymity online has a future. In the early days of the Internet, strong cryptography, anonymous remailers, and a relative lack of surveillance created an environment conducive to anonymous communication. Today, the outlook for online anonymity is poor. Several forces combine against it: ideologies that hold that anonymity is dangerous, or that identifying evil-doers is more important than ensuring a safe mechanism for unpopular speech; the profitability of identification in commerce; government surveillance; the influence of intellectual property interests in requiring hardware and other tools that enforce identification; and the law at both national and supranational levels. As a result of these forces, online anonymity is now much more difficult than it once was, and looks set to become less and less possible. Nevertheless, the ability to speak truly freely remains an important ‘safety valve’ technology for the oppressed, for dissidents, and for whistle-blowers. The article argues that as data collection online merges with data collection offline, the ability to speak anonymously online will only become more valuable. Technical changes will be required if online anonymity is to remain possible. Whether these changes are possible depends on whether the public comes to appreciate and value the option of anonymous speech while it is still possible to engineer mechanisms to permit it.

The organizers selected me to give the keynote for the workshop, and I’ve produced a provocation for them. Here is the introduction:

Users are notoriously bad at safeguarding their online privacy. They do not read privacy policies, which in any case are mostly contracts of adhesion. They make over-optimistic assumptions about protections and dangers [15]. They use weak passwords (and reuse them), accept cookies, and leave their cell phones on, thus facilitating location tracking, which is vastly more destructive to privacy than almost any user grasps [8]. Contrary to Alan Westin’s privacy segmentation analysis [31], most privacy choices are not knowing and deliberate because they are not within the user’s control (e.g. surveillance in public). Other ‘choices’ happen because users believe, correctly, that they in fact have no choice if they want the services (e.g. Google, mobile telephony) that large numbers of consumers consider necessary for modern life [27].

The systematic exposure of the so-called “privacy vulnerable” user [27] suits important public and private interests. Marketers, law enforcement, and (as a result) hardware and software designers tend to make technology surveillance-friendly and to make communications and transactions easily linkable.

If we each have only one identity capable of transacting – even if it is mediated through multiple logins – and if our access to communications resources, such as ISPs and email, requires payment or authentication, then all too quickly everything we do online is at risk of being linked into one master dossier. The growth of real-world surveillance, and the ease with which cell phone tracking and face recognition will allow linkage to virtual identities, only adds to the size of that dossier. The consequence is that one is, effectively, always being watched as one speaks or reads, buys or sells, or joins with friends, colleagues, co-religionists, fellow activists, or hobbyists. In the long term, a world of near-total surveillance and endless record-keeping is likely to be one with less liberty, less experimentation, and certainly far less joy [16] (except maybe for the watchers). In a country such as the US, where robust data-protection law is deeply unlikely, a technological solution is required if privacy is to remain relevant in the era of big data; one such improvement, perhaps the best, would be to create an identity management architecture (IMA) designed to give every person multiple privacy-protective, transaction-empowered digital personae. Roger Clarke provides a good working definition of the “digital persona” as “a model of an individual’s public personality based on data and maintained by transactions, and intended for use as a proxy for the individual.” [4]

Whereas Clarke presciently saw (and critiqued) the ‘dataveillance’ project as being an effort to create a single, increasingly accurate, digital persona connected to the person, the objective here is to undermine that linkage by having multiple personae that would not be as easy to link to each other or to the person.
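To make the idea of multiple hard-to-link personae concrete, here is a toy sketch (my own illustration, not a design from the paper; the secret, contexts, and derivation scheme are all assumptions): an IMA could derive a separate stable pseudonym per context from a single user-held secret, so that no two services ever see the same identifier and observers without the secret cannot link the personae to each other or to the person.

```python
# Toy sketch of per-context digital personae (illustrative only).
import hashlib
import hmac

# Held only by the user (or the user's IMA) -- hypothetical value.
MASTER_SECRET = b"user-master-secret"

def persona_id(context: str) -> str:
    """Derive a stable, context-specific pseudonym.

    The same context always yields the same pseudonym (so it can
    transact over time), but without MASTER_SECRET an observer cannot
    link pseudonyms from different contexts to each other.
    """
    digest = hmac.new(MASTER_SECRET, context.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

shop = persona_id("shopping-site")
forum = persona_id("political-forum")
assert shop != forum                         # distinct personae per context
assert shop == persona_id("shopping-site")   # but stable within one context
```

This is only the linkability-resistance piece; a real IMA would also have to address payment, credentials, and abuse control, which the sketch ignores.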

I neglected to link to Lessons Learned Too Well: Anonymity in a Time of Surveillance, the paper I’m presenting at #yalefesc. A very very small number of people will recognize this as a partial redraft of a paper I started a few years ago, but never published because it didn’t seem quite right. My plan is to get it as right as I can in the next few months, which is why I’m workshopping it.

Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis (e.g., correlation, timing, or measuring packet sizes), or subverting the cryptographic keys used to secure protocols, can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large scale, rather than by introducing new types of technical compromise.
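To see why metadata alone matters, here is a toy sketch (my own, with made-up site names and packet sizes) of the traffic-analysis technique the paragraph mentions: even when content is encrypted, a passive observer can often guess which site a user visited by matching the observed sequence of packet sizes against known fingerprints.

```python
# Toy packet-size fingerprinting (illustrative only; all data invented).

# Hypothetical packet-size fingerprints, in bytes, for three sites.
fingerprints = {
    "news-site":  [1500, 1500, 640, 1500, 980],
    "mail-site":  [320, 410, 1500, 260, 300],
    "forum-site": [870, 1500, 1500, 1500, 120],
}

def match_score(observed, candidate):
    """Sum of absolute size differences; lower means more similar."""
    return sum(abs(a - b) for a, b in zip(observed, candidate))

def identify(observed):
    """Return the known fingerprint closest to the observed sizes."""
    return min(fingerprints, key=lambda s: match_score(observed, fingerprints[s]))

# Sizes captured from an encrypted session: a slightly perturbed
# copy of the "mail-site" pattern is still recognized.
observed = [322, 405, 1500, 258, 310]
print(identify(observed))  # -> mail-site
```

Real attacks are far more sophisticated (timing, direction, and statistical models), but the sketch shows why protocols that leave packet sizes unpadded leak information regardless of encryption.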

The IETF community’s technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible. Pervasive monitoring was discussed at the technical plenary of the November 2013 IETF meeting [IETF88Plenary] and then through extensive exchanges on IETF mailing lists. This document records the IETF community’s consensus and establishes the technical nature of PM.

The term “attack” is used here in a technical sense that differs somewhat from common English usage. In common English usage, an attack is an aggressive action perpetrated by an opponent, intended to enforce the opponent’s will on the attacked party. The term is used here to refer to behavior that subverts the intent of communicating parties without the agreement of those parties.

The conclusion is simple, but powerful: “The IETF will strive to produce specifications that mitigate pervasive monitoring attacks.”

US law has remarkably little to say about mass surveillance in public, a failure that has allowed such surveillance to grow at an alarming rate – a rate that is only set to increase. This article proposes ‘Privacy Impact Notices’ (PINs) — modeled on Environmental Impact Statements — as an initial solution to this problem.

Data collection in public (and in the home via public spaces) resembles an externality imposed on the person whose privacy is reduced involuntarily; it can also be seen as a market failure caused by an information asymmetry. Current doctrinal legal tools available to respond to the deployment of mass surveillance technologies are limited and inadequate. The article proposes that — as a first step towards figuring out how to understand, value, and ultimately regulate this mass-privacy-destroying behavior — we should borrow from the environmental movement and require anyone planning a large-scale public data collection program to file a Privacy Impact Notice (PIN). The PIN proposal is contrasted with the existing, much more limited federal privacy analysis requirement, known as Privacy Impact Assessments. The bulk of the article then explains how PINs would work and defends the idea against three predictable critiques: the claim that there is a First Amendment right to data collection, the claim that Environmental Impact Statements (EISs) are a poor policy tool not worthy of emulation, and the claim that notice-based regimes are in general worthless. It argues that PINs have applications to surveillance and data collection in online public spaces such as Facebook, Twitter, and other virtual spaces. It also considers what the PIN proposal would have to offer towards addressing the now-notorious problem of the NSA’s drift-net surveillance of telephone conversations, emails, and web-based communications.

Modeling mass surveillance disclosure regulations on an updated form of environmental impact statement will help protect everyone’s privacy: mandating disclosure and impact analysis by those proposing to watch us in and through public spaces will enable an informed conversation about privacy in public. Additionally, the need to build consideration of the consequences of surveillance into project planning, as well as the danger of bad publicity arising from excessive surveillance proposals, will act as a counterweight to the adoption of mass data collection projects, just as it did in the environmental context. In the long run, well-crafted disclosure and analysis rules could pave the way for more systematic protection of privacy, as they did for the environment. Effective US regulation of mass surveillance will require that we know a great deal about who and what is being recorded and about the costs and benefits of personal information acquisition and use. At present we know relatively little about how to measure these; a privacy equivalent of environmental impact statements will provide not only case studies but also occasions to grow expertise.